The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Deanna Tanner Okun, Chairman
Irving A. Williamson, Vice Chairman
Charlotte R. Lane
Daniel R. Pearson
Shara L. Aranoff
Dean A. Pinkert

UNITED STATES INTERNATIONAL TRADE COMMISSION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, DC 20436

VIA ELECTRONIC TRANSMISSION

September 29, 2011                                    OIG-JJ-018

Chairman Okun:

This memorandum transmits the Office of Inspector General's final report Audit of Incident Management, OIG-AR-11-16. In finalizing the report, we analyzed management's comments on our draft report and have included those comments in their entirety in Appendix A.

This report contains eight recommendations for corrective action. In the next 30 days, please provide me with your management decisions describing the specific actions that you will take to implement each recommendation.

Thank you for the courtesies extended to my staff during this audit.

Sincerely,

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report

Table of Contents
Results of Audit ........................................................... 1
Problem Areas .............................................................. 1
   Problem Area 1: The Commission does not have an incident response plan. ..... 1
   Problem Area 2: The Commission does not have an incident detection program. .. 4
Management Comments and Our Analysis ....................................... 5
Scope and Methodology ...................................................... 6
Appendix A: Management Comments on Draft Report ............................ A

OIG-AR-11-16                                         -i-

Results of Audit

Does the USITC's incident management program provide senior management with detailed, actionable information regarding security incidents?

No. USITC's incident management program does not provide senior management with detailed, actionable information regarding security incidents.

The Commission's incident response plan lacks the specifics required to enable staff to successfully respond to incidents. Incidents are being handled on an ad-hoc basis, and the Commission does not have a method to use the knowledge gained from these incidents to avoid similar incidents in the future, or increase the speed and effectiveness of eradicating intrusions once detected.

The Commission does not have an incident response plan or an incident detection program.
Without these key building blocks, it is not possible for senior management to receive actionable information regarding security incidents.

Problem Areas

Problem Area 1:
The Commission does not have an incident response plan.

The Commission has a document that consists of 98 pages of largely redundant boilerplate from documents generated by the National Institute for Standards and Technology (NIST), and inappropriately borrowed sections from documents defining the program mission of the U.S. Computer Emergency Readiness Team. U.S. CERT is a component of the Department of Homeland Security whose mission is to "improve the nation's cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation." An example of this includes the following passages from pages 78-79 of the Information Security Incident Response plan, dated March 2010, Version 3.0:

   • Report on new and novel attack techniques used in the exploitation of systems;
   • Report on malicious code found in the wild to promote awareness and encourage appropriate action;
   • Work with the community to develop tools and techniques to nullify the effects of exploits as they occur…

These tasks are specific to the agency whose mission it is to help serve the government community, but they are not appropriate for the Commission.

We spoke with several operational and network security technical staff about the Information Security Incident Response plan, but we were unable to find anyone who had actually read, much less used, this "plan."

In developing this plan, the Commission focused on compliance with various regulatory standards. A focus on compliance unfortunately can place a higher value on paperwork than on the actual strength of program implementation. The Commission's incident response plan contains all the right words, but it fails to detail a plan that is specific and useful to the Commission.

The Commission recently discovered that Trojan software was installed on some of its systems. While no information security program can be expected to deny all penetration attempts, this event demonstrated a lack of preparedness by the Commission to either detect or respond to serious information security incidents.

The Commission's response to this incident highlighted a number of problems:

   1. Not all systems at risk for the Trojan were checked by staff. Of the systems checked by operational staff, records were not created detailing which systems were checked by whom, at what time, and the methods used to check these systems.
   2. Users were not notified that their personal data had been stolen. A keystroke-logging Trojan affected at least 59 Commission users since February 2009. We interviewed 6 of the affected users and asked whether they had been notified about any security incidents involving their data. Several responded that their hard drives had been swapped, but none were notified with any specifics of the incident.
   3. Despite detection on June 9, 2011, the Trojan software was still on the network as late as July 8, 2011.

An effective incident response plan must include the tasks of checking all systems at risk, and of recording the actions taken to assess these systems. With sufficient planning, this will ensure a comprehensive assessment, and can give the Commission confidence that the impact of an incident is fully known and remediation is complete.

Users must be notified when their data has been stolen. With a keystroke-logging incident such as that experienced recently, any activity the users performed on their computers was recorded and taken, including their credentials to log in to banks, email, and other platforms. Users should be made aware of these types of incidents, so they can change passwords or take other steps to protect themselves.

During the response to the recent incident, remediation was performed by "sneaker-net." Help Desk staff were assigned to physically walk to affected systems and replace their hard drives. It is inefficient to rely on this as a primary response. The attacker did not walk into the building to install the software on each user's system; the Commission's primary response should not employ such a slow, haphazard, and ineffective means of undoing his work.
The Commission needs to develop and practice automated, high-speed solutions to perform system-wide detection and removal of malware in the event of an incident.

The Commission has the tools and staff available to create an effective incident response program, but this will not happen unless the focus shifts from compliance to risk management.

Recommendation 1:
   Develop a useful, concise incident response plan specific to the Commission's staff, tools, and networks.

Recommendation 2:
   Develop a listing of all networks and systems to be checked when an incident occurs.

Recommendation 3:
   Record information regarding incident handling to include what was checked, who performed the check, when these systems were checked, how they were checked, and the results of these checks. If any systems are not checked, the reasoning for doing so should be recorded.

Recommendation 4:
   Develop a procedure to notify and counsel users when their systems have been compromised.

Recommendation 5:
   Define a threshold to determine when an incident is widespread and ensure any widespread incidents are communicated to all Commission staff.

Problem Area 2:
The Commission does not have an incident detection program.

The Commission's focus on compliance resulted in the assignment of staff to create or oversee the creation of documentation. Staff were not assigned to analyze traffic and detect abnormal activity. While sophisticated attacks are designed to avoid detection, all of them result in system changes and logged events that can lead to their detection.
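
The firewall error events described below, and Recommendation 7, come down to nobody reviewing the traffic the security infrastructure was already denying. As an added example (not part of the audit report or the Commission's tooling), this Python script reads constructed firewall log lines in an assumed generic key=value syslog layout and raises an alert only when one internal host keeps being denied to the same destination on several distinct days, which is the kind of recurring signal that went unread here for over a year:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not Commission data); the key=value layout is an assumed generic form.
SAMPLE_LOG = """\
2010-03-02T09:14:07 fw1 action=DENY src=10.20.1.45 dst=203.0.113.8 dport=443 proto=tcp
2010-03-02T09:44:09 fw1 action=DENY src=10.20.1.45 dst=203.0.113.8 dport=443 proto=tcp
2010-03-02T10:14:10 fw1 action=ALLOW src=10.20.1.77 dst=198.51.100.20 dport=80 proto=tcp
2010-03-03T09:14:11 fw1 action=DENY src=10.20.1.45 dst=203.0.113.8 dport=443 proto=tcp
2010-03-04T09:14:12 fw1 action=DENY src=10.20.1.45 dst=203.0.113.8 dport=443 proto=tcp
2010-03-05T09:14:13 fw1 action=DENY src=10.20.1.45 dst=203.0.113.8 dport=443 proto=tcp
2010-03-05T11:02:00 fw1 action=DENY src=10.20.1.77 dst=198.51.100.20 dport=25 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_denies(lines):
    """Yield (timestamp, src, dst, dport) for each DENY line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["action"] == "DENY":
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def persistent_denies(lines, min_days=3, min_hits=4):
    """Return {(src, dst, dport): (first_seen, last_seen, hits, days)} for each source
    whose traffic to one destination is denied on at least min_days distinct days and
    min_hits times in total.  A single denial is noise; the same host retrying the same
    blocked destination day after day is the trace an implant leaves in the deny log."""
    stamps = defaultdict(list)
    for ts, src, dst, dport in parse_denies(lines):
        stamps[(src, dst, dport)].append(ts)
    alerts = {}
    for key, seen in stamps.items():
        days = len({t.date() for t in seen})
        if days >= min_days and len(seen) >= min_hits:
            alerts[key] = (min(seen), max(seen), len(seen), days)
    return alerts

def render(alerts):
    """One line per flagged pattern, oldest first, suitable for a ticket or pager message."""
    rows = sorted(alerts.items(), key=lambda kv: kv[1][0])
    return [f"ALERT {src} -> {dst}:{dport} denied {hits}x over {days} days "
            f"({first:%Y-%m-%d} to {last:%Y-%m-%d})"
            for (src, dst, dport), (first, last, hits, days) in rows]

if __name__ == "__main__":
    for line in render(persistent_denies(SAMPLE_LOG.splitlines())):
        print(line)
```

The single ALLOW line and the one-off denial from 10.20.1.77 are ignored; only the host denied on four separate days is reported.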
The Trojan attack had been generating error events on the firewall since March 2010, but because staff and systems were not dedicated to incident detection, the attack continued until June 2011. The incident was finally detected by a new member of the operations staff during the testing of a new network analysis tool.

The Commission's antivirus detection software serves as a primary line of defense against malware such as that recently found. The antivirus in use by the Commission did not detect the Trojan malware. Upon testing, it was found that antivirus software from other major vendors was able to detect the infection. One strategy organizations use is to employ antivirus from multiple vendors to increase the probability of detection. The Commission can deploy antivirus from another vendor and perform repeated, scheduled scans of the fileservers to detect malware not identified by the antivirus product in use on workstations.

Recommendation 6:
   Assign staff dedicated to the detection of incidents.

Recommendation 7:
   Improve monitoring so that staff are alerted to unexpected traffic being denied by security infrastructure.

Recommendation 8:
   Implement weekly scanning of fileservers with antivirus software different from that used on workstations and email systems.

Management Comments and Our Analysis

On September 27, 2011, Chairman Deanna Tanner Okun provided management comments on the draft audit report. The Chairman agreed with our assessment of the two problem areas, that the Commission does not have an incident response plan and does not have an incident detection program, and stated that the Commission will implement the recommendations detailed to strengthen its incident management program. The Chairman's response is provided in its entirety as Appendix A.

Scope and Methodology

Scope:
   • This audit focused on the Commission's Incident Response program, including a review of the Commission's documented procedures, and past performance of incident management.

Methodology:
   1. Review documented procedures.
   2. Assess documentation concerning prior incidents.
   3. Interview program staff to assess their knowledge and roles related to incident detection.
   4. Analyze incident detection tools in use to assess their capabilities, and identify potential gaps in coverage.
   5. If evidence of previous incidents exists, contact users to gather information concerning their experience, including guidance received from technical staff.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A: Management Comments on Draft Report

"Thacher's Calculating Instrument" developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used by architects, engineers, and actuaries as a measuring device.